This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.


Purpose

To set out the approach which the HKMA will adopt in the supervision of AIs’ operational risk, and to provide guidance to AIs on the key elements of effective operational risk management.


Classification 


A non-statutory guideline issued by the MA as a guidance note 


Previous guidelines superseded 
OR-1 “Operational Risk Management” (v.1) dated 28.11.05 




Application 
To all AIs


Structure 
1. Introduction


1.1 Background

1.1.1 As set out under section 2 of SA-1 “Risk-based Supervisory Approach”, AIs are generally subject to eight major types of risks - credit, market, interest rate, liquidity, operational, reputation, legal and strategic. They are expected to establish a sound and effective system to manage each of these risks.


1.1.2 Operational risk is inherent in all banking products, activities, processes and systems. It is defined under the capital standards issued by the Basel Committee on Banking Supervision (BCBS) as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This definition includes legal risk but excludes strategic and reputational risks. However, where appropriate, strategic and reputational risks should be considered under an AI’s operational risk management framework (ORMF).


1.1.3 Operational risk has become an increasing issue as banks:

(a) rely more on increasingly complex automated technology;

(b) develop more complex products;

(c) are involved in large scale mergers and acquisitions;

(d) initiate consolidation and internal reorganisation;

(e) adopt techniques which are devised to mitigate other forms of risks (e.g. collateralisation, credit derivatives, netting and asset securitisation), but potentially create other forms of risk (e.g. legal risk); and

(f) outsource some of their functions.

Failure to implement proper processes and procedures to control operational risks has resulted in significant operational losses for some banks.
1.1.4 In March 2021, the BCBS issued the “Revisions to the Principles for the Sound Management of Operational Risk”¹ on which this module is primarily based. Superseding the BCBS “Principles for the Sound Management of Operational Risk” issued in 2003 (and revised in 2011 to address lessons from the Global Financial Crisis of 2007-09), the 2021 revisions incorporate further guidance to facilitate banks’ implementation of the principles, cover other important sources of operational risk, reflect the new operational risk framework in the Basel III reforms, and emphasize the importance of the principles in ensuring operational resilience of banks².


1.2 Scope

1.2.1 This module:

(a) sets out the HKMA’s supervisory approach to operational risk; and

(b) provides guidance on the key elements of a sound operational risk management framework.








1 https://www.bis.org/bcbs/publ/d515.pdf

2 Please see the “Principles for operational resilience” issued by the Basel Committee in March 2021 (https://www.bis.org/bcbs/publ/d516.htm).
1.2.2 In developing this module, the HKMA has made reference to:

(a) the two sets of 2021 BCBS principles mentioned under para. 1.1.4 above and footnote 2;

(b) Principle 25 of the “Core Principles for Effective Banking Supervision”³; and

(c) the operational risk management policies and practices adopted by some international banks.


1.3 Legal framework

1.3.1 Para. 10 of the Seventh Schedule to the Banking Ordinance requires AIs to maintain on and after authorization adequate accounting systems and systems of control. These are essential for ensuring prudent and efficient running of the business, safeguarding the assets of the institution, minimising the risk of fraud, monitoring the risks to which the institution is exposed and complying with legislative and regulatory requirements.


3 https://www.bis.org/basel_framework/standard/BCP.htm
1.3.2 Para. 12 of the Seventh Schedule further requires AIs to conduct their business with integrity, prudence, competence and in a manner which is not detrimental to the interests of depositors or potential depositors. As set out in the “Guide to Authorization”, the HKMA’s assessment of an institution’s compliance with this paragraph will take account of, among other considerations, operational risk issues such as its ability to deal with external shocks and unexpected contingencies, competence in resistance to internal and external fraud and avoidance of operational errors, and quality of information and communication technology (ICT)⁴ systems and staff.


1.3.3 Moreover, under the Banking (Capital) Rules (BCR), any AI incorporated in Hong Kong is required to maintain adequate regulatory capital calculated in accordance with the BCR, taking into account the AI’s operational risk.


1.4 Implementation 


1.4.1 The HKMA recognises that operational risk management is still evolving, and this module therefore sets out “sound practices” rather than “statutory requirements”. AIs are expected to develop and implement an ORMF consistent with the guidance in this module and commensurate with their nature, size, complexity, and risk profile as soon as practicable. The ORMF should be reviewed regularly and kept up to date in the light of the evolving operating environment and operational risk management techniques.
4 ICT refers to the underlying physical and logical design of information technology and communication systems, the individual hardware and software components, data, and the operating environments.
1.5 Operational resilience

1.5.1 Operational resilience refers to the ability of an AI to deliver critical operations⁵ through disruptions. This ability enables an AI to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events, in order to minimize their impact on the delivery of critical operations through disruptions. In considering its operational resilience, an AI should assume that disruptions will occur, and take into account its overall risk appetite and tolerance for disruption⁶ under a range of severe but plausible scenarios⁷.

1.5.2 Although operational risk management and operational resilience address different goals, they are closely interconnected. An effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and the impact of operational risk events. When implementing the guidance in this module, an AI should also take into account relevant guidance issued by the HKMA in the SPM module OR-2 “Operational Resilience”. Specific guidance that links the ORMF of an AI to its operational resilience / ability to ensure critical operations delivery through disruptions is set out in paras. 2.2.4, 5.2.1, 7:4:1, 1.24), 7.2.6, 7.4.7(a) & (d), 8.1.3, 8.3.1 (footnote 21) and 8.3.2(a).





2. Supervisory approach to operational risk 


2.1 Objectives and principles 
2.1.1 Each AI should develop and maintain an appropriate ORMF that is effective and efficient in identifying, assessing, monitoring and controlling/mitigating operational risk, taking into account its complexity, range of products and services, organisational structure, and risk management culture.


2.1.2 The HKMA adopts a risk-based supervisory approach (see SA-1 “Risk-based Supervisory Approach”) which enables continuous supervision of AIs’ operational risk through a combination of on-site examinations, off-site reviews and prudential meetings. The objective is to assess, among other things, the level and trend of the AI’s operational risk exposures and losses as well as the adequacy and effectiveness of its ORMF, taking into account the guidance set out in this module. In the case of a locally incorporated AI, the HKMA will also assess the adequacy of its capital relative to the size of its operational risk exposure.

5 The term “critical operations” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.

6 The term “tolerance for disruption” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.

7 The term “severe but plausible scenarios” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.


2.1.3 In assessing an AI’s exposure to and management of operational risk, the HKMA will have particular regard to the following factors:

(a) the appropriateness of the AI’s ORMF, including the level of oversight exercised by the Board of Directors (Board) and senior management, and risk culture;

(b) the adequacy of strategies, policies and procedures for managing operational risk, including the definition of operational risk;

(c) the adequacy of the operational risk management processes in identifying, assessing, monitoring and controlling operational risks;

(d) the effectiveness of the AI’s operational risk mitigation efforts;

(e) the adequacy and results of the AI’s internal review and audit of operational risk;

(f) the findings and recommendations made in the management letter issued by the AI’s external auditors;

(g) the causes and impacts of significant operational risk events of the AI;

(h) the AI’s procedures for the timely and effective resolution of operational risk events and vulnerabilities; and

(i) the quality and comprehensiveness of the AI’s disaster recovery and business continuity plans.


2.1.4 Where necessary, the HKMA will coordinate and exchange information with other relevant supervisors to facilitate the evaluation of an AI’s ORMF.

2.2 Supervisory processes


2.2.1 Every AI is subject to the examination of the effectiveness of its ORMF by the HKMA. In addition, the HKMA has the power under §59(2) of the Banking Ordinance to require external auditors’ reports to be submitted on an ad hoc basis covering AIs’ internal control systems.

2.2.2 The HKMA also monitors a locally incorporated AI’s compliance with the capital requirements under the BCR, taking into account the AI’s exposure to operational risk. The methodology for calculating the specific capital charge for operational risk is set out in the BCR.

2.2.3 AIs are expected to notify the HKMA of any event(s) that may have a significant impact on their operations. Such events may include:

(a) a significant operational loss/exposure that has been incurred/identified;

(b) a significant failure in their systems or controls;

(c) an intention to enter into an insourcing/outsourcing arrangement in respect of a banking related business area (including back office activities), or to make changes to or amend the scope of their insourcing/outsourcing of such areas;

(d) any significant changes in organisation, infrastructure or business operating environment; and

(e) the invocation of a business continuity plan.

2.2.4 Upon receiving notification of the above events, and if the situation warrants, the HKMA may require the reporting AI to submit a report to it analysing the causes/purposes and impacts of the event as well as setting out the action plan to rectify any weaknesses identified or the contingency plan in dealing with failure arising from an intended change. In any case, after an operational risk incident, an AI should assess again the threats and vulnerabilities that affect the delivery of its critical operations, taking into account lessons learned and new threats and vulnerabilities that caused the incident. The HKMA also expects that any controls and procedures implemented to address those threats and vulnerabilities should be reviewed from time to time to ensure their continued effectiveness.


2.2.5 Serious lapses or deficiencies in internal controls of an institution can constitute an unsafe and unsound practice and possibly lead to significant losses or otherwise compromise the financial integrity of the institution. If appropriate, the MA will initiate supervisory actions if material deficiencies or situations that threaten the safe and sound conduct of the institution’s activities are not adequately addressed in a timely manner. Such supervisory actions may include the requirement of an independent special review report on the problem area, attachment of a condition to the consent of authorization limiting the level of business activity involved, or suspension of the activity completely, enforcement actions against the institution or its responsible directors and managers, or both, and the immediate implementation of all necessary corrective measures.

2.2.6 An AI should strive to improve its operational risk management framework on an ongoing basis. Where necessary, the HKMA will monitor, compare and evaluate the improvements achieved by an AI and its plans for prospective developments during the course of its risk-based supervision.


3. Operational risk management framework

3.1 Overview

3.1.1 An AI should develop, implement and maintain an ORMF that is fully integrated into its overall risk management processes. The ORMF should be embedded across all levels of the organization including group and business units⁸ as well as new business initiatives, products, activities, processes and systems. In addition, results of the AI’s operational risk assessment should be incorporated into its overall business strategy development process.





3.2 An appropriate framework

3.2.1 Regardless of its size or complexity, each AI is expected to have an ORMF. The objective of an ORMF is to ensure that operational risks are consistently and comprehensively identified, assessed, mitigated/controlled, monitored and reported.

3.2.2 For the purpose of this module, an appropriate ORMF should contain the major components set out below:

(a) risk governance (including Board and senior management oversight) and risk culture — see section 4;

(b) risk management structure made up of three lines of defence, i.e. business line management (first line of defence), independent corporate operational risk management function (CORF, second line of defence⁹) and independent assurance (third line of defence) — see section 5;

(c) operational risk management strategy, policies and procedures — see section 6;

(d) operational risk management process to identify, assess, monitor, control/mitigate and report operational risk — see section 7;

(e) specific aspects of operational risk management including change management, ICT and business continuity planning — see section 8; and

(f) disclosure — see section 9.

8 The term “business unit” is meant broadly to include all associated support, corporate and/or shared service functions, e.g. Finance, Human Resources and Operations and Technology. However, Risk Management and Internal Audit are not included unless otherwise specifically indicated.

9 In addition to a CORF, the second line of defence also typically includes a Compliance function.


3.2.3 In practice, an AI’s ORMF must reflect the scope and complexity of business lines, range of products and services, corporate organisational structure, and risk management culture. Each AI’s operational risk profile is unique and requires a tailored risk management approach appropriate for the scale and materiality of the risks present, and size of the institution.


3.2.4 Nevertheless, the three lines of defence model has been widely adopted in the industry with varied degrees of implementation formality. AIs should adopt this model adequately and proportionately to manage every kind of operational risk subcategory, including ICT risk, and be able to demonstrate that the model is operating satisfactorily and to explain how the Board (or an independent committee of the Board) and senior management ensure that the model is implemented and operating in an appropriate manner. They should ensure that each line of defence:

(a) is adequately resourced in terms of budget, tools and staff;

(b) has clearly defined roles and responsibilities;

(c) is continuously and adequately trained;

(d) promotes a sound risk management culture across the AI; and

(e) communicates with the other lines of defence to reinforce the ORMF.


3.2.5 The components of the ORMF should be fully integrated into the overall risk management processes of the AI by the first line of defence, adequately reviewed and challenged by the second line of defence, and independently reviewed by the third line of defence.

3.2.6 If in one business unit there are functions of both the first and second line of defence, the AI should document and distinguish the responsibilities of such functions in the first and second line of defence, emphasising the independence of the second line of defence.





4. Risk governance 


4.1 Overview 


4.1.1 Operational risk management requires the attention and involvement of a wide variety of organisational components, each of which has different responsibilities. It is essential that each of the organisational components clearly understands its roles, authority levels and accountabilities under the institution’s organisational and risk management structure. All business and support functions should be an integral part of the overall ORMF. The establishment of a CORF can assist the Board and senior management in meeting their responsibility for understanding and managing operational risk. Moreover, although certain staff may be charged with specific responsibilities in relation to operational risk, all staff of the institution should play a role in the identification and management of operational risk.


4.2 Board oversight 


4.2.1 The responsibility for operational risk management ultimately rests with the Board of an AI. To discharge this responsibility, the Board (or its delegated committee) should approve and periodically review the following:

(a) the ORMF; and

(b) the risk appetite and tolerance statement and risk limits for operational risk.
ORMF


4.2.2 To ensure that the ORMF is suitable and will be working effectively for the AI, the Board or its delegated committee(s) should:

(a) understand the nature and complexity of the risks inherent in the portfolio of the AI’s products, services, activities, and systems;

(b) establish a risk culture and ensure that the AI has adequate processes for understanding the nature and scope of the operational risk inherent in its current and planned strategies and activities;

(c) establish clear lines of management responsibility and accountability for implementing a strong internal control environment with appropriate independence/segregation of duties between CORF, business units and support functions;

(d) ensure that the operational risk management processes are subject to comprehensive and dynamic oversight and are fully integrated into, or coordinated with, the overall framework for managing all risks across the AI;

(e) provide senior management with clear guidance regarding the principles underlying the ORMF, and approve the corresponding policies developed by senior management under these principles;

(f) regularly review and evaluate the ORMF’s effectiveness to ensure that the AI has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems (including in relation to the application of ICT — see section 8.2), including changes in risk profiles and priorities (e.g. changing business volumes);

(g) ensure that the AI’s ORMF is subject to effective independent review by the third line of defence (internal audit or other appropriately trained independent third parties from external sources); and

(h) ensure that, as best practice evolves, management is availing themselves of these advances.
Risk appetite and tolerance statement and risk limits 


4.2.3 The risk appetite and tolerance statement for operational risk should articulate the nature, types and levels of operational risk that the bank is willing to assume. It should be developed under the authority of the Board and linked to the AI’s short- and long-term strategic and financial plans. Taking into account the interests of the AI’s customers and shareholders as well as regulatory requirements, an effective risk appetite and tolerance statement should:

(a) be easy to communicate and therefore easy for all stakeholders to understand;

(b) include key background information and assumptions that informed the AI’s business plans at the time it was approved;

(c) include statements that clearly articulate the motivations for taking on or avoiding certain types of risk, and establish boundaries or indicators (which may be quantitative or not) to enable monitoring of these risks;

(d) ensure that the strategy and risk limits of business units and legal entities, as relevant, align with the bank-wide risk appetite statement; and

(e) be forward-looking and, where applicable, subject to scenario and stress testing to ensure that the AI understands what events might push it outside its risk appetite and tolerance statement.


4.2.4 The Board should review regularly the risk appetite and tolerance statement and the appropriateness of the operational risk limits. This review should consider the current and expected changes in the external environment (including the regulatory context across all jurisdictions where the institution provides services); ongoing or forthcoming material increases in business or activity volumes; the quality of the control environment; the effectiveness of risk management or mitigation strategies; loss experience; and the frequency, volume or nature of limit breaches. The Board should also monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.





4.3 Senior management responsibilities 


4.3.1 Senior management should develop for approval by the Board a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility for operational risk management.


4.3.2 An AI’s governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, an AI should take into account the following sound industry practices:

• Committee structure — A large and more complex AI establishes one or more operational risk management committees which report to the Board level risk management committee. Depending on the nature, size and complexity of the AI, there may be operational risk committees by country, business or functional area. Smaller and less complex AIs may establish just one risk management committee overseeing all risks without a separate operational risk management committee;

• Committee composition — An operational risk management committee (or the risk management committee for a smaller AI) includes members with a variety of expertise, covering business activities, financial activities, legal, technological and regulatory matters and independent risk management;

• Committee operation — Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.


4.3.3 Senior management is responsible for implementing the ORMF approved by the Board through the development of specific policies, processes and procedures that can be implemented and verified within business units for managing operational risk. Such policies, processes and procedures should be consistently implemented and maintained throughout the organization for the management of operational risk in all of the AI’s material products, activities, processes and systems, in alignment with the AI’s risk appetite and tolerance statement.
4.3.4 In order to ensure that operational risk management policies and procedures are clearly understood and executed, senior management should define the AI’s organisational structure for operational risk management and communicate individual roles and responsibilities. It is essential that staff at all levels in the institution clearly understand their individual roles in the operational risk management process.

4.3.5 While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively in line with the AI’s risk appetite and risk tolerance statement. They should also ensure that staff responsible for monitoring and enforcing compliance with the AI’s operational risk policy have authority independent from the units they oversee. Moreover, senior management should assess and ensure the appropriateness of the operational risk management process in the light of the risks inherent in a business unit’s activities.

4.3.6 Senior management is responsible for ensuring that sufficient human and technical resources are devoted for operational risk management such that the AI’s activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources.

4.3.7 Senior management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing other risks such as credit, market, etc., as well as with those responsible for the procurement of external services such as insurance risk transfer and other third-party arrangements (including outsourcing). Failure to do so could result in significant gaps or overlaps in the AI’s overall risk management programme.

4.3.8 Senior management is responsible for establishing and maintaining robust challenge mechanisms and processes for resolving operational issues, including systems to report, track and escalate issues to ensure their resolution.

4.3.9 Since operational risk management is evolving and the business environment is constantly changing, senior management should ensure that the ORMF (in particular policies, processes and systems) remains sufficiently robust to manage and ensure that operational losses are adequately addressed in a timely manner. Improvements in operational risk depend heavily on senior management’s willingness to be proactive and also act promptly and appropriately to address operational risk managers’ concerns.

4.3.10 See also CG-1 “Corporate Governance of Locally Incorporated Authorized Institutions” for general guidance on corporate governance.


4.4 Risk culture 


4.4.1 The Board and senior management of an AI also have an important responsibility in fostering a positive risk culture on which a successful ORMF (particularly in respect of the effectiveness of the processes in that framework) depends. In general, the Board should take the lead in establishing a strong risk management culture for the AI, which should be implemented by the senior management.


4.4.2 An AI's risk culture encompasses the general awareness, attitude and behaviour of its employees to risk and the management of risk within the organisation. Factors contributing to a positive risk culture include:


(a) An AI's business objectives and risk appetite, operational risk management framework and the related roles, responsibilities and authorities of relevant staff in implementing the framework must be clearly set out and communicated by the senior management to staff within the organisation in order for them to understand their responsibilities with respect to operational risk management.


(b) The Board and senior management should provide strong and consistent support for operational risk management and ethical behaviour, convincingly reinforcing codes of conduct and ethics, compensation strategies and training programmes. Senior management must have an ongoing role throughout the risk management process and send out a consistent message to the whole organisation that they are fully supportive of the risk management framework through their actions and words.


(c) The Board and senior management should communicate a culture emphasising high standards of ethical behaviour and prohibiting conflicts of interest or inappropriate provision of financial services (whether wilful or negligent) at all levels of the AI. This can be achieved through the establishment and application to both staff and Board members of a code of conduct[10], or an ethics policy, and by members of the Board and senior management setting the example of following it. The code or relevant policy should be regularly reviewed and approved by the Board and attested by employees. Its implementation should be overseen by a board level committee and should be made publicly available (e.g. on the AI's website). A separate code of conduct may be established for specific positions in the AI (e.g. treasury dealers and senior management).


(d) Senior management should ensure that appropriate operational risk management and ethical behaviour training is available at all levels throughout the organisation, such as heads of business units, heads of internal controls and senior managers. Training provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.


(e) The AI's remuneration policies must be consistent with its appetite and tolerance for risk as well as overall safety and soundness. They must also appropriately balance risk and reward[11]. Performance incentives should include consideration of risk management, and their design should not provide incentives for people to operate contrary to the desired risk management values, e.g. established position limits.


(f) There must be an environment in which staff can speak out and raise operational risk problems openly without fear of negative consequences.


[11] See BCBS Report on the range of methodologies for the risk and performance alignment of remuneration, May 2011; Financial Stability Forum Principles for sound compensation practices, April 2009; Financial Stability Board FSB principles for sound compensation practices — implementation standards, September 2009; and the Financial Stability Board's toolkit Strengthening Governance Frameworks to Mitigate Misconduct Risk, April 2018.


4.4.3 An AI should also refer to the following SPM modules for general guidance relating to sound risk management culture:

(a) CG-1 "Corporate Governance of Locally Incorporated Authorized Institutions";

(b) IC-1 "Risk Management Framework";

(c) CG-3 "Code of Conduct"; and

(d) CG-5 "Guideline on a Sound Remuneration


5. Three lines of defence 


5.1 Business unit management (first line of defence)


5.1.1 Business unit management is accountable on a day-to-day basis for identifying, managing and reporting operational risks specific to a business unit. Implementation of the ORMF within each business unit should reflect the scope of that business unit and its inherent operational complexity and operational risk profile[12]. Business unit management must be independent of the AI's firm-wide CORF.


[12] Operational risk profile describes the operational risk exposures and control environment assessments of business units and considers the range of potential impacts that could arise from estimates of expected to severe losses. The profile generally provides management and the Board with a representation of operational risk exposures at a level which supports their decision-making and oversight responsibilities.
5.1.2 To facilitate management of operational risk within each business unit, good practice suggests that there should be dedicated operational risk staff at the business units. These staff members usually have dual reporting lines. While they have a direct reporting relationship in the business unit, they work closely with the CORF to assure consistency of policy and tools, as well as to report results and issues. The responsibilities of the first line of defence should include:

(a) identifying and assessing the materiality of operational risks inherent in their respective business units through the use of operational risk management tools;

(b) establishing appropriate controls to mitigate inherent operational risks, including business-specific policies, processes, procedures and systems, and assessing the design and effectiveness of these controls through the use of the operational risk management tools;

(c) reporting whether the business units lack adequate resources, tools and training to ensure identification and assessment of operational risks;

(d) monitoring and reporting the business units' operational risk profiles, and ensuring their adherence to the established operational risk appetite and tolerance statement; and

(e) reporting residual operational risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies, and non-compliance with operational risk tolerances.





5.2 Operational risk management function (second line of defence)


5.2.1 It has become a leading practice of banks to establish a CORF (at the group and/or corporate level) in a similar manner to institutional credit and market risk functions. The key role of the function is to assist senior management in meeting their responsibility for understanding and managing operational risk and to ensure the development and consistent application of operational risk policies, processes and procedures (see section 7) throughout the institution. In so doing the CORF performs a number of roles including:

(a) developing and maintaining corporate-level policies, procedures and guidelines for operational risk management and controls;

(b) designing and implementing the institution's operational risk assessment methodology, tools and risk reporting system;

(c) developing an independent view regarding (i) business units' identified material operational risks, (ii) design and effectiveness of key controls, and (iii) risk tolerance;

(d) challenging the relevance and consistency of the business units' implementation of the operational risk management tools, measurement activities and reporting systems, and providing evidence that such challenge is conducive to the evaluation of its effectiveness;

(e) establishing unified classification, methodology and procedures of operational risk;

(f) reviewing and contributing to the monitoring and reporting of the operational risk profile to the Board and senior management;

(g) working alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations and coordinating business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the institution;

(h) designing and providing operational risk management training, including to instil risk awareness, and advising the business units on operational risk management issues, e.g. deployment of operational risk tools; and

(i) liaising with internal and external audits.


5.2.2 The managers of the CORF should be of sufficient stature within the AI to perform their duties effectively. Ideally, they are assigned a title that is commensurate with other risk management functions such as those on credit, market and liquidity risks.


5.2.3 The HKMA recognises that AIs operate in different ways and are using different operational risk management structures and methodologies. Therefore, it does not propose to prescribe a formal definition for an independent CORF. However, AIs should in any case have a policy which clearly defines the stature, roles and responsibilities of the CORF having regard to the size and complexity of their operations.





5.2.4 In general, the CORF in larger AIs is expected to have a reporting structure independent of the risk-generating business units and be responsible for the design, maintenance and ongoing development of the ORMF within the AI. For smaller AIs, independence of the ORMF may be achieved through separation of duties and independent review of processes and functions.


5.2.5 In practice, the internal audit function in some AIs may have initial responsibility for developing an operational risk management programme. Where this is the case, AIs should see to it that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner. This is to ensure that the independence of internal audit is maintained.


5.2.6 In the case of a branch, subsidiary, or individual business units of an AI with a CORF at the group and/or corporate level, there should usually be dedicated operational risk staff at the branch, subsidiary or business units to assure consistency of policy and tools, as well as to report results and issues.


5.2.7 As appropriate, the ORMF documentation should clearly reference the relevant operational risk management policies and procedures.


5.3 Other operational risk related functions 


5.3.1 The CORF typically engages relevant corporate control groups to support its assessment of the operational risks and controls. There are a number of other operational risk related staff functions within an AI that should play a supporting role to the CORF in the operational risk management of an AI. These include specialist departments such as legal and compliance, human resources, ICT and finance, which should be responsible for some specific aspects of operational risk and the related issues, e.g. the human resources function should be a key participant in the management of "people" risk, rather than merely playing the role of sharing information and providing expert advice. These other operational risk related functions should on the one hand be responsible for managing the operational risk in their own area, and on the other hand provide support to other parties within the organisational structure for operational risk management.


5.4 Independent assurance (third line of defence)


5.4.1 The Board should be provided independent assurance regarding the appropriateness of an AI's ORMF. The relevant assessment should be performed by parties such as the internal auditors, external auditors or other suitably qualified independent third parties, who are not involved in the development, implementation and day-to-day operation of the operational risk management processes or the functioning of the other two lines of defence. AIs should have adequate audit coverage to verify that operational risk management policies and procedures have been implemented effectively across the AI. The Board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures.

5.4.2 An effective independent assessment should:

(a) review the design and implementation of the operational risk management systems and associated governance processes through the first and second lines of defence (including the independence of the second line of defence);

(b) review validation[13] processes to ensure they are independent and implemented in a manner consistent with established policies;

(c) ensure that business unit management promptly, accurately and adequately respond to the issues raised, and regularly report to the Board or its relevant committees on pending and closed issues; and

(d) opine on the overall appropriateness and adequacy of the ORMF and the associated governance processes across the AI, including whether the ORMF meets organisational needs and expectations (such as in respect of the corporate risk appetite and tolerance, and adjustment of the framework to changing operating circumstances) and complies with statutory and legislative provisions, contractual arrangements, internal rules and ethical conduct.


5.4.3 Any operational issues identified and reported in the 
assessment process should be addressed by senior 
management in a timely and effective manner, or raised to 
the attention of the Board, as appropriate. 


5.4.4 As appropriate, the CORF should assess and propose control measures to manage the operational risk inherent in the third line of defence.


[13] Validation is critical for a well-functioning ORMF in that it ensures that the quantification systems used by an AI are sufficiently robust and provide assurance of the integrity of inputs, assumptions, methodologies, processes and outputs, resulting in assessments of operational risk that credibly reflect the operational risk profile of the AI.
6. Operational risk management strategy, policies and procedures


6.1 Strategy 


6.1.1 Operational risk management begins with the determination of the overall strategies and objectives of an institution. Once determined, the institution can identify the associated inherent risks in its strategy and objectives, and thereby establish an operational risk management strategy. Responsibility for defining the operational risk management strategy, and for ensuring it is aligned with overall business objectives, should rest with the Board. In doing so, the Board should provide clear guidance on the AI's risk appetite or tolerance, i.e. what risks the AI is prepared to take in pursuit of its business objectives and what risks are unacceptable.


6.2 Policies 


6.2.1 An AI should document its policies for managing operational risk, setting out its strategy and objectives for operational risk management for all key underlying businesses and support processes and the processes that it intends to adopt to achieve these objectives.





6.2.2 An AI's policy for managing operational risk should include:

(a) the definition of operational risk (see section 6.3) and operational loss for the institution, including the types of operational risk that are faced by the AI and its customers that the AI will monitor;

(b) the governance structure, which defines operational risk management roles, responsibilities and reporting lines of the Board, committees[14], senior management, risk management function, business line management and other operational risk related functions;

(c) the AI's accepted operational risk appetite and tolerance; the thresholds, material activity triggers or limits for inherent operational risk (i.e. the risk before controls are considered) and residual operational risk (i.e. the risk exposure after controls are considered); and the approved risk mitigation strategies and instruments;

(d) the tools for risk and control identification and assessment and the role and responsibilities of the three lines of defence in using them;

(e) the approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure and ensuring controls are designed, implemented and operating effectively;

(f) the inventory of risks and controls implemented by all business units (e.g. in a control library);

(g) a common taxonomy of operational risk terms (see further elaboration in para. 6.3.1);

(h) an outline of the management reporting framework for producing timely and accurate data/information and the types of data/information to be included in the risk management reports;

(i) a mechanism for independent review and challenge of the outcome of the operational risk management process; and

(j) a requirement that the policy will be reviewed and revised as appropriate based on continued assessment of the quality of the control environment addressing internal and external environmental changes or whenever a material change in the operational risk profile of the AI occurs.


6.2.3 The policy should be supported by a set of principles that apply to specific components of operational risk, such as new customer approval, new product approval, ICT systems approval, outsourcing, business continuity planning, crisis management, and money laundering (see para. 7.4.7 for further guidance).


[14] Mandates and memberships of the relevant committees should also be available.


6.2.4 Business unit management is responsible for managing risks in a particular business unit. Therefore, it is required to develop supplementary policies and procedures specific to its business, based on and consistent with the corporate operational risk management policy.


6.3 Definition of operational risk 


6.3.1 In order to be able to efficiently identify, assess, monitor and report operational risk within an AI, it is necessary to define the underlying components of operational risk. In this connection a common taxonomy of operational risk terms should be provided in the policy to ensure consistency of risk identification, exposure rating and risk management objectives across all business units[15]. The taxonomy should distinguish operational risk exposures by event types, causes, materiality and business units where they occur. It should also flag those operational exposures that partially or entirely represent legal, conduct, model, ICT (including cyber) risks as well as exposures in the credit or market risk boundary.


6.3.2 The definition of operational risk should consider the full range of material operational risks facing the institution and capture the most significant causes of severe operational losses. A formal and detailed definition is also essential for improving communications, setting accountability, characterising and accumulating events for modelling and analysis, and consistently sharing experiences and ideas.


6.3.3 The BCBS defines operational risk by referring to the four underlying causes of operational risk - process, people, systems and external events (or environment) (see para. 1.1.2). The definition seeks to delineate operational risks from other risks by referring to key internal and external aspects of a bank's operations that, alone or in combination, can cause operational losses. The following table provides an example of risk cause categories under each of the four underlying causes of operational risk:

Risk Cause Factors: Process
Risk Cause Categories:
• inadequate / inappropriate guidelines, policies & procedures;
• inadequate / failure of communication;
• erroneous data entry;
• inadequate reconciliation;
• poor customer / legal documentation;
• inadequate security control;
• breach of regulatory & statutory provisions / requirements;
• inadequate change management process; and
• inadequate back up / contingency plan

Risk Cause Factors: People
Risk Cause Categories:
• breach of internal guidelines, policies & procedures;
• breach of delegated authority;
• criminal acts (internal);
• inadequate segregation of duties / dual controls;
• inexperienced staff;
• staff oversight; and
• unclear roles & responsibilities

Risk Cause Factors: System
Risk Cause Categories:
• inadequate hardware / network / server maintenance

Risk Cause Factors: External
Risk Cause Categories:
• criminal acts;
• vendor misperformance;
• man-made disaster;
• natural disaster; and
• political / legislative / regulatory causes


[15] An inconsistent taxonomy of operational risk terms may increase the likelihood of failure to identify and categorise risks, or failure to allocate responsibility for the assessment, monitoring, control and mitigation of risks.








6.3.4 Furthermore, to facilitate managing and measuring operational risks and assessing the potential impact, an AI should classify loss events into predetermined event types. The Basel Committee has developed a matrix with seven broad categories of operational loss event types that are further broken down into sub-categories and related activity examples[16] as set out in the Annex. If an AI's internal classification system is different from that of the BCBS, it should document its criteria for mapping its internal classification with the broad event type categories (level 1) set out in the Annex. An AI should provide its loss data with mapping to the broad event types in the Annex to the HKMA for inspection upon request.
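As an added illustration (not part of this module and not the HKMA's or any AI's own tooling), the following Python module shows one way the mapping in para. 6.3.4 can be made explicit and checkable: each internal event category is mapped to one of the seven BCBS level 1 event types through a documented table, the table is validated so that no internal category used by the loss data is left unmapped or mapped to an unknown type, every event carries the occurrence, discovery and accounting dates (with zero-loss near misses kept in the dataset), and gross losses are aggregated per level 1 type and checked against escalation thresholds. The internal category names, the sample events, the business unit names and the thresholds are constructed for the example; the seven level 1 names are the BCBS categories.

```python
"""Added example (not from the HKMA module): loss-event register with a documented
mapping from constructed internal categories to the seven BCBS level 1 types."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Tuple

# The seven BCBS level 1 operational loss event types.
BASEL_LEVEL1 = (
    "Internal fraud",
    "External fraud",
    "Employment practices and workplace safety",
    "Clients, products and business practices",
    "Damage to physical assets",
    "Business disruption and system failures",
    "Execution, delivery and process management",
)

# Constructed internal taxonomy -> level 1 type. Keeping this table explicit
# and versioned with the policy is the "documented mapping criteria".
INTERNAL_TO_LEVEL1: Dict[str, str] = {
    "staff-theft": "Internal fraud",
    "card-fraud": "External fraud",
    "phishing-loss": "External fraud",
    "cyber-outage": "Business disruption and system failures",
    "payment-misdirect": "Execution, delivery and process management",
    "mis-selling": "Clients, products and business practices",
}


class TaxonomyError(ValueError):
    """Mapping table or event data is inconsistent with the level 1 types."""


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    internal_category: str
    business_unit: str
    occurrence: date            # when the event happened
    discovery: date             # when the AI found out
    accounting: Optional[date]  # when a loss was booked; None for near misses
    gross_loss: Decimal         # Decimal(0) marks a near miss

    def __post_init__(self) -> None:
        if self.discovery < self.occurrence:
            raise ValueError(f"{self.event_id}: discovered before occurrence")
        if self.accounting is not None and self.accounting < self.discovery:
            raise ValueError(f"{self.event_id}: booked before discovery")
        if self.gross_loss < 0:
            raise ValueError(f"{self.event_id}: negative gross loss")

    @property
    def near_miss(self) -> bool:
        return self.gross_loss == 0


def unmapped_categories(events: Iterable[LossEvent],
                        mapping: Dict[str, str] = INTERNAL_TO_LEVEL1) -> List[str]:
    """Internal categories used by the events that have no level 1 mapping."""
    return sorted({ev.internal_category for ev in events} - set(mapping))


def aggregate_by_level1(events: Iterable[LossEvent],
                        mapping: Dict[str, str] = INTERNAL_TO_LEVEL1
                        ) -> Tuple[Dict[str, Decimal], Dict[str, int]]:
    """Gross loss and event count per level 1 type; fails on any mapping gap."""
    events = list(events)
    bad_targets = sorted(v for v in mapping.values() if v not in BASEL_LEVEL1)
    if bad_targets:
        raise TaxonomyError(f"not level 1 types: {bad_targets}")
    missing = unmapped_categories(events, mapping)
    if missing:
        raise TaxonomyError(f"no level 1 mapping for: {missing}")
    totals = {t: Decimal(0) for t in BASEL_LEVEL1}
    counts = {t: 0 for t in BASEL_LEVEL1}
    for ev in events:
        totals[mapping[ev.internal_category]] += ev.gross_loss
        counts[mapping[ev.internal_category]] += 1
    return totals, counts


def breached_types(events: Iterable[LossEvent], thresholds: Dict[str, Decimal],
                   mapping: Dict[str, str] = INTERNAL_TO_LEVEL1) -> List[str]:
    """Level 1 types whose aggregate gross loss exceeds the agreed threshold."""
    totals, _ = aggregate_by_level1(events, mapping)
    return [t for t in BASEL_LEVEL1 if t in thresholds and totals[t] > thresholds[t]]


# Constructed sample events (not real loss data); E3 is a contained outage, a near miss.
SAMPLE_EVENTS = [
    LossEvent("E1", "card-fraud", "Cards", date(2024, 3, 1), date(2024, 3, 3),
              date(2024, 3, 10), Decimal("12000")),
    LossEvent("E2", "phishing-loss", "Retail", date(2024, 3, 5), date(2024, 3, 5),
              date(2024, 3, 20), Decimal("3500")),
    LossEvent("E3", "cyber-outage", "ICT", date(2024, 4, 2), date(2024, 4, 2),
              None, Decimal("0")),
    LossEvent("E4", "payment-misdirect", "Payments", date(2024, 4, 9),
              date(2024, 4, 12), date(2024, 4, 30), Decimal("80000")),
]

# Constructed escalation thresholds per level 1 type.
SAMPLE_THRESHOLDS = {
    "External fraud": Decimal("10000"),
    "Execution, delivery and process management": Decimal("100000"),
}
```

Calling aggregate_by_level1(SAMPLE_EVENTS) returns the per-type totals and counts that would be produced for inspection; breached_types(SAMPLE_EVENTS, SAMPLE_THRESHOLDS) returns the types to escalate. The mapping is checked in both directions on every aggregation (unknown targets and unmapped internal categories both raise TaxonomyError) so that a category added to the internal taxonomy without a corresponding entry in the documented mapping cannot silently drop out of the reported loss data.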
7. Operational risk management process 


7.1 Overview 


7.1.1 AIs should have effective means to regularly identify, assess, monitor and control the operational risk inherent in their material products, activities, processes and systems in a timely manner, which should ensure that potential risks, threats and vulnerabilities that may affect critical operations delivery are prevented. Reasonable steps should be taken to ensure that these processes and tools are adequate and effective for the purpose.


7.2 Risk identification and assessment 


7.2.1 In order to better understand its operational risk profile and effectively target risk management resources, an AI should identify the types of operational risks to which it is exposed as far as reasonably possible and assess its vulnerability to these risks. It should identify and assess the operational risk inherent in all existing or new, material products, activities, processes and systems, based on its own definition and categorisation of operational risk. Effective operational risk identification and assessment are fundamental for the development of an effective operational risk management system, and directly contribute to operational resilience capabilities.


[16] See Basel consolidated framework OPE25.17 Table 2.


7.2.2 When identifying its operational risk, an AI should consider both internal and external factors that could adversely affect the achievement of the AI's objectives, such as:

(a) the AI's management structure, risk culture, human resource management practices, organisational changes and employee turnover;

(b) the nature of the AI's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;

(c) the design, implementation, and operation of the processes and systems used in the operating cycle of the AI's products and activities; and

(d) the external operating environment and industry trend, including political, legal, technological and economic factors, the competitive environment and market structure.


7.2.3 Having identified the risks, Als need to define the 
appropriate approach to assessing each identified risk, 
estimate the probability that the identified risks will 
materialise by considering the causes of the risks, and 
assess their impact by referring to the potential effect on 
the realisation of corporate objectives. 


7.2.4 A number of tools are commonly used for identifying and 
assessing operational risk: 


(a) Event management (the process of identification, analysis, end-to-end management and reporting of an operational risk event that follows a pre-determined set of protocols) — A sound event management approach typically includes analysis of events to identify new operational risks, understanding the underlying causes and control weaknesses, and formulating an appropriate response to prevent recurrence of similar events. This information is an input to self-assessments (see (c) below) and, in particular, to the assessment of control effectiveness.


(b) Operational risk event data (a comprehensive operational risk event dataset that collects all material events experienced by an AI and serves as a basis for operational risk assessments) — The event dataset typically includes internal loss data and near misses. Event data is typically classified according to a taxonomy defined in the ORMF policies and consistently applied across the AI. Event data typically include the date of the event (occurrence date, discovery date and accounting date) and, in the case of loss events, financial impact. Where available, other root cause information for the events should ideally also be included in the operational risk dataset. Where feasible, AIs should also seek to gather external operational risk event data and use the data in their internal analysis, as it is often informative of risks that are common across the industry.


(c) Self-assessments (assessments of operational risks and controls on various different levels conducted by the AI) — The assessments typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered) and contain both quantitative and qualitative elements. The qualitative element reflects consideration of both the likelihood and consequence of the risk event in the bank's determination of its inherent and residual risk ratings. The assessments may utilise business process mapping to identify key steps in business processes, activities, and organisational functions, as well as the associated risks and areas of control weakness. The assessments should contain sufficiently detailed information on the business environment, operational risks, underlying causes, controls and evaluation of control effectiveness to enable an independent reviewer to determine how the bank reached its ratings. A risk register can be maintained to collate this information to form a meaningful view of the overall effectiveness of controls and facilitate oversight by senior management, risk committees and the Board.


(d) Control monitoring and assurance framework (a structured approach to the evaluation, review and ongoing monitoring and testing of key controls) — The analysis of controls ensures they are suitably designed for the identified risks and operating effectively. The analysis should also consider the sufficiency of control coverage, including adequate prevention, detection and response strategies, taking into account different operational risks across business areas.


(e) Metrics (quantitative indicators developed using operational risk event data and risk and control evaluations to assess and monitor operational risk exposure) — Metrics are primarily selected operation/control indicators considered relevant for management tracking and escalation triggering. They may be simple indicators that are identified and periodically tracked by various functions of an institution, such as event counts, or outputs from more sophisticated exposure models as appropriate. The intention of metrics is to provide early warning information to monitor ongoing performance of the business and the control environment, and to report the operational risk profile, so that management can act on issues before they become major problems to an institution. Effective metrics clearly link to the associated operational risks and controls. Monitoring metrics and related trends through time against agreed thresholds or limits provides valuable information for risk management and reporting purposes.


(f) Scenario analysis (a method to identify, analyse 
and measure a range of scenarios, including low 
probability and high severity events (e.g. 
pandemics, natural disasters, and failures or 
disruptions at a third party or within the third party's 
supply chain, etc.), some of which could result in 
severe operational risk losses) — Scenario analysis 
typically involves workshop meetings of subject 
matter experts including senior management, 
business management and senior staff responsible 
for operational risk management and other 
functional areas such as compliance, human 
resources and IT risk management, to develop and 
analyse the drivers and range of consequences of 
potential events. Inputs to the scenario analysis 
would typically include relevant internal and 
external loss data, information from self-
assessments, the control monitoring and assurance 
framework, forward-looking metrics, root-cause 
analyses and the process framework, where used. 
The scenario analysis process could be used to 
develop a range of consequences of potential 
events, including impact assessments for risk 
management purposes, supplementing other tools 
based on historical data or current risk 
assessments. It could also be integrated with 
disaster recovery and business continuity plans, for 
use within testing of operational resilience (also see 
OR-2 "Operational Resilience"). Given the 
subjectivity of the scenario process, a robust 
governance framework and independent review are 
important to ensure the integrity and consistency of 
the process. 


(g) Benchmarking and comparative analyses 
(comparisons of the outcomes of different risk 
measurement and management tools deployed 
within the Al, as well as comparisons of metrics from 
the Al to other firms in the industry) — Such 
comparisons can be performed to enhance 
understanding of the Al's operational risk profile. 
For example, comparing the frequency and severity 
of internal losses with self-assessments can help 
the Al determine whether its self-assessment 
processes are functioning effectively. Scenario 
data can be compared to internal and external loss 
data to gain a better understanding of the severity 
of the Al's exposure to potential risk events. 
7.2.5 Als should ensure that the operational risk assessment 
tools’ outputs are: 


(a) based on accurate data, whose integrity is ensured 
by strong governance and robust verification and 
validation procedures; 


(b) adequately taken into account in the internal pricing 
and performance measurement mechanisms as 


well as for business opportunities assessments; 
and 


(c) subject to CORF-monitored action plans or 
remediation plans when necessary. 


7.2.6 The operational risk assessment tools cited in para. 7.2.4 
can also directly contribute to an Al's operational resilience 
approach. In particular, event management, self-
assessment and scenario analysis procedures allow Als to 
identify and monitor threats and vulnerabilities to their 
critical operations. Als should use the outputs of these 
tools to improve their operational resilience controls and 
procedures18. 


































18 These controls and procedures should be consistent with and conducted alongside the 
identification of threats and vulnerabilities as part of an Al’s operational resilience approach. 
7.3 Risk monitoring and reporting 


7.3.1 Als should implement a process to monitor their 
operational risk profiles and material exposures to losses 
on an on-going basis. The process should include both 
qualitative and quantitative assessment of an Al's 
exposure to all types of operational risk, assessing the 
quality and appropriateness of corrective/mitigation 
actions, and ensuring that adequate controls and systems 
are in place to identify and address problems before they 
become major concerns. It should be appropriate to the 
scale of risks and activities undertaken by the Al. 
7.3.2 In monitoring its operational risks, an Al should make use 
of appropriate metrics (referred to in paragraph 7.2.4(e)). 
By setting appropriate "goals or limits" or "escalation 
triggers" to the metrics, monitoring of the metrics can 
provide early warning of an increase in operational risk or 
a breakdown in operational risk management and facilitate 
communication of potential problems to a higher level of 
management. 
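The threshold-and-trend monitoring described in para. 7.2.4(e) and the 
"goals or limits" and "escalation triggers" in para. 7.3.2 are easy to state 
and easy to get wrong in practice: a limit breach and a deteriorating trend 
are different signals, and a pass-rate metric runs the opposite way to an 
error count. The following is an added illustration serving both paragraphs; 
it is not HKMA text and not any Al's reporting tool. The metric names, the 
amber/red limits, the six-period observations and the escalation routes are 
all constructed for the example. 

```python
"""Metric (KRI) monitoring against agreed limits with escalation triggers.

Added example for this module; not HKMA text. The metric names, threshold
values and the observations in sample_report() are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Metric:
    name: str
    amber: float                  # "goal or limit": management attention
    red: float                    # "escalation trigger"
    higher_is_worse: bool = True  # False for e.g. control-test pass rates
    history: list = field(default_factory=list)

    def record(self, value: float) -> None:
        self.history.append(float(value))

    def status(self) -> str:
        """RAG status of the latest observation against the agreed limits."""
        v = self.history[-1]
        red = v >= self.red if self.higher_is_worse else v <= self.red
        amber = v >= self.amber if self.higher_is_worse else v <= self.amber
        if red:
            return "RED"
        if amber:
            return "AMBER"
        return "GREEN"

    def trend(self, window: int = 3) -> str:
        """Compare the mean of the last `window` observations with the
        preceding `window`. A level breach and a worsening trend are
        distinct signals, so both are reported separately."""
        if len(self.history) < 2 * window:
            return "INSUFFICIENT_DATA"
        recent = mean(self.history[-window:])
        prior = mean(self.history[-2 * window:-window])
        if recent == prior:
            return "FLAT"
        worsening = recent > prior if self.higher_is_worse else recent < prior
        return "WORSENING" if worsening else "IMPROVING"


def escalation(metric: Metric) -> str:
    """Map status and trend to the (assumed) reporting line to be informed."""
    status, trend = metric.status(), metric.trend()
    if status == "RED":
        return "ESCALATE_SENIOR_MANAGEMENT"   # trigger breached
    if status == "AMBER" and trend == "WORSENING":
        return "ESCALATE_BUSINESS_HEAD"       # early warning
    if status == "AMBER":
        return "MONITOR"
    return "NONE"


def report(metrics) -> dict:
    return {m.name: {"latest": m.history[-1], "status": m.status(),
                     "trend": m.trend(), "action": escalation(m)}
            for m in metrics}


def sample_report() -> dict:
    """Constructed six-period observations for three hypothetical metrics."""
    failed_trades = Metric("failed_trade_pct", amber=2.0, red=5.0)
    unreconciled = Metric("unreconciled_items", amber=50, red=100)
    control_pass = Metric("control_test_pass_pct", amber=95.0, red=90.0,
                          higher_is_worse=False)
    for v in [1.0, 1.2, 1.1, 1.8, 2.4, 2.9]:
        failed_trades.record(v)
    for v in [120, 110, 95, 90, 80, 70]:
        unreconciled.record(v)
    for v in [99, 98, 97, 94, 92, 89]:
        control_pass.record(v)
    return report([failed_trades, unreconciled, control_pass])


if __name__ == "__main__":
    for name, row in sample_report().items():
        print(f"{name:24} {row['latest']:>7} {row['status']:6} "
              f"{row['trend']:10} {row['action']}")
```

In the constructed data the failed-trade rate is still under its red trigger 
but has crossed amber while rising, so it is routed for attention before it 
becomes a breach; the backlog of unreconciled items is above amber but 
falling, so it is only watched; and the control-test pass rate has fallen 
through its trigger and is escalated. Keeping the limits with the metric 
definition (rather than in a spreadsheet formula) is what makes the "clearly 
link to the associated operational risks and controls" requirement auditable. 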

















7.3.3 Risk monitoring should be an integrated part of an Al's 
activities, the frequency of which should reflect the risks 
involved in an Al's activities as well as the pace and nature 
of changes in the operating environment. 


7.3.4 The results of an Al's monitoring activities, findings of the 
ORMF reviews performed by internal/external audit and/or 
the risk management function, management letters issued 
by external auditors, and reports generated by supervisory 
authorities, as appropriate, should be included in regular 
reports to the Board and the senior management to 
support proactive management. 


7.3.5 An Al should be able to produce timely reports in both 
normal and stressed market conditions19. The reports 
should be comprehensive, accurate, consistent and 
actionable across business units and products. To this 
end, the first line of defence should ensure reporting on 
any residual operational risks, covering operational risk 
events, control deficiencies, process inadequacies, and 
non-compliance with operational risk tolerances. Reports 
should be manageable in scope and volume by providing 
an outlook on the Al's operational risk profile and 
adherence to the operational risk appetite and tolerance 
statement. Effective decision-making is impeded by both 
excessive amounts and paucity of data. 


19 Reporting should be consistent with the BCBS's Principles for effective risk data aggregation and 
risk reporting (https://www.bis.org/publ/bcbs239.pdf). 


7.3.6 In general, the Board should receive sufficient high-
level information to enable them to understand the Al's 
overall operational risk profile and focus on the material 
and strategic implications for the business. 


7.3.7 Generally, the management reports should describe the 
operational risk profile of an Al by providing relevant 
internal financial, operational, and compliance data, as 
well as external market or environmental information about 
events and conditions that are relevant to decision making. 
They should aim to provide information such as: 


(a) the key and emerging operational risks facing, or 
potentially facing, the institution (e.g. as shown in 
metrics and their trend data, changes in risk and 
control self-assessments, comments in 
audit/compliance review reports, etc.); 


(b) major internal operational risk events, issues 
identified and losses (including root causes, 
intended remedial actions, and the status and/or 
effectiveness of remedial actions taken); 


(c) relevant external events or regulatory changes, and 
any potential impact on the Al; and 


(d) exception reporting (covering, among others, 
authorized and unauthorized deviations from the 
Al's operational risk policy (including in terms of risk 
appetite and risk tolerance) and likely or actual 
breaches in predefined thresholds, limits or 
qualitative requirements for operational exposures 
and losses). 


7.3.8 Data capture and risk reporting processes should be 
analysed periodically with the goal of enhancing risk 
management and improving existing management 
performance, as well as advancing new risk management 
policies, procedures and practices. 


7.3.9 To ensure the usefulness and reliability of the reports 
received, management should regularly verify the 
timeliness, accuracy, and relevance of reporting systems 
and internal controls in general. 


7.3.10 Als may consider keeping track of the information 
provided in the reports, particularly the loss data, to 
establish a framework for systematically tracking and 
recording the frequency, severity and other relevant 
information on loss events. 


7.4 Risk control and mitigation 


7.4.1 A critical element to an Al’s control of operational risk is the 
existence of a sound internal control system. When 
properly designed and consistently enforced, a sound 
internal control system will help management ensure the 
efficiency and effectiveness of the operations, safeguard 
the institution's resources, produce reliable financial 
reports, and comply with laws and regulations. Sound 
internal controls will also reduce the possibility of 
significant human errors and irregularities in internal 
processes and systems, and will assist in their timely 
detection when they do occur. 


7.4.2 For all material operational risks that have been identified, 
the Al should decide whether to use appropriate policies, 
processes, procedures and systems to control and/or 
mitigate the risks, or bear the risks. For those risks that 
cannot be controlled or mitigated, the Al should decide 
whether to accept these risks, reduce the level of business 
activity involved, or withdraw from this activity completely. 


7.4.3 A sound internal control programme consists of risk 
assessment, activities monitoring and control, 
communication and information20, which are also integral 
components of the risk management process. Typical 
practices to control operational risk in an Al include: 


(a) clearly established authorities and/or processes for 
approval; 


(b) segregation of duties - conflicts of interest in the 
responsibilities of individual staff (which can 
facilitate concealment of losses, errors or 
inappropriate actions) should be identified, avoided 
or minimized to the extent possible. Conflicts of 
interest that cannot be avoided in practice should be 
subject to dual controls (e.g. a process that uses 
two or more separate entities/persons operating in 
concert to protect sensitive functions or information) 
or other countermeasures, independent monitoring 
and review to guard against concealment of losses, 
errors or other inappropriate actions; 


20 Management should make clear the internal control requirements to individual functions, which in 
turn provide information and feedback to enhance the control requirements on an ongoing basis. 


(c) close monitoring of adherence to assigned risk 
limits or thresholds and investigation into breaches; 


(d) maintaining safeguards for access to, and use of, 
bank assets and records; 


(e) appropriateness of staff levels and training to 
maintain technical expertise; 


(f) ongoing processes to identify business lines or 
products where returns appear to be out of line with 
reasonable expectations (e.g. where a supposedly 
low risk, low margin trading activity generates high 
returns that could call into question whether such 
returns have been achieved as a result of an 
internal control breach); 


(g) regular verification and reconciliation of 
transactions and accounts; and 


(h) vacation policy that provides for officers and 
employees being absent from their duties for a 
period of not less than two consecutive weeks, or 
another period commensurate with the role of the 
employee and the risk profile / complexity of the Al. 
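The vacation policy listed at the end of para. 7.4.3 is a detective control: 
a two-week absence only exposes concealed positions or manipulated records 
if the absent employee genuinely cannot touch the systems. The following is 
an added example, not HKMA text and not any Al's own tooling, showing how an 
Al can test the policy from its own access records rather than from HR leave 
bookings. It scans a constructed activity log for staff with no run of at 
least 14 consecutive calendar days without activity in a review period; a 
single remote login in the middle of leave breaks the run, which is the 
circumvention the check is meant to surface. The user names, the Q1 2024 
period and the log records are constructed for the example. 

```python
"""Block-leave (mandatory absence) check over activity logs.

Added example for this module; not HKMA text. The user names, the review
period and the activity records built by sample_log() are constructed.
"""
from datetime import date, timedelta


def longest_absence_days(active_days, period_start, period_end) -> int:
    """Longest run of consecutive calendar days in the period on which the
    user shows no activity. Calendar days are counted deliberately: a
    Saturday login in the middle of leave resets the run."""
    active = set(active_days)
    longest = run = 0
    day = period_start
    while day <= period_end:
        run = 0 if day in active else run + 1
        longest = max(longest, run)
        day += timedelta(days=1)
    return longest


def flag_missing_block_leave(activity_log, period_start, period_end,
                             min_consecutive_days: int = 14):
    """activity_log: iterable of (user, date) pairs, ideally merged from
    every access channel (core systems, e-mail, VPN, ...). Returns the
    users with no absence of at least min_consecutive_days in the period,
    sorted by name."""
    days_by_user = {}
    for user, day in activity_log:
        days_by_user.setdefault(user, set()).add(day)
    return sorted(
        user for user, days in days_by_user.items()
        if longest_absence_days(days, period_start, period_end)
        < min_consecutive_days
    )


# Constructed review period (hypothetical).
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 3, 31)


def sample_log():
    """Constructed Q1 2024 log with weekday activity for three users:
    alice is on leave 5-16 Feb (16 calendar days away once the weekends
    either side are included); bob never takes leave; carol takes the same
    leave as alice but logs in remotely on Saturday 10 Feb."""
    leave = {date(2024, 2, 5) + timedelta(days=i) for i in range(12)}
    log = []
    day = PERIOD_START
    while day <= PERIOD_END:
        if day.weekday() < 5:                 # Monday..Friday
            log.append(("bob", day))
            if day not in leave:
                log.append(("alice", day))
                log.append(("carol", day))
        day += timedelta(days=1)
    log.append(("carol", date(2024, 2, 10)))  # remote login mid-leave
    return log


def run_example():
    return flag_missing_block_leave(sample_log(), PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    print("no qualifying block leave:", run_example())
```

The function returns bob (no leave at all) and carol (leave interrupted by a 
login) while alice passes. The threshold is a parameter so that the "another 
period commensurate with the role" variant in the text can be applied per 
role, and the check must be run on merged records from all channels: a 
report built only from core-system logins misses an employee who keeps 
working through e-mail or a remote desktop. 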


7.4.4 The control processes and procedures should include a 
system for ensuring compliance with the policies, 
regulations and laws. Elements of this could include, for 
example: 


(a) top level reviews of the Al's progress towards the 
stated objectives; 


(b) verification of compliance with management 
controls; 


(c) review of the treatment and resolution of instances 
of non-compliance; 


(d) evaluation of the required approvals and 
authorizations to ensure accountability to an 
appropriate level of management; and 


(e) tracking of reports for approved exceptions to 
thresholds or limits, management overrides and 
other deviations from policy, regulations and laws. 


7.4.5 Als should ensure that the risk management control 
infrastructure keeps pace with growth or changes in the 
business activity (e.g. new products, operations in 
branches/subsidiaries remote from head office, and entry 
into unfamiliar markets). 


7.4.6 Control process and procedures should be consistent with 
the Al’s operational resilience approach so that through the 
due diligence exercised by respective functions (i.e. the 


three lines of defence), the operational resilience of the Al 
can be maintained in both normal circumstances and in the 


event of disruptions. 


7.4.7 Als' operational risk will particularly be driven by the 
following factors and therefore Als should have relevant 
policies and procedures to control their exposures: 


(a) Change initiatives 

Operational risk can be more pronounced where 
Als initiate changes, such as engaging in new 
activities or developing new products/services, 
entering into unfamiliar markets/jurisdictions, 
implementing new or modified business processes 
or technology systems, and/or engaging in 
businesses that are geographically distant from the 
head office. Therefore, Als should have policies and 
procedures defining the process for identifying, 
managing, challenging, approving and monitoring 
change, and describing the roles and 
responsibilities of the parties involved in the change 
process. The policies should set out objective 
criteria with respect to the approval of change 
initiatives. The purpose is to ensure that change 
initiatives are introduced in a controlled fashion and 
that business units and support functions are fully 
prepared to cope with the proposed changes. In 
addition, Als should leverage their change 
management capability as a way to assess potential 
effects of planned changes to any underlying 
components for the delivery of critical operations 
and on their interconnections and interdependence. 

See section 8.1 for further guidance on the change 
management process and section 4.3 of IC-1 "Risk 
Management Framework" for general guidance on 
the controls over new products/services. 


(b) Use of information and communication technology (ICT) 

The policy should aim to ensure that the high risks 
associated with the use of ICT are addressed 
through adequate ICT governance and controls, 
including security management, system 
development and change management, 
information processing, communications network 
and management of technology service providers. 
Please refer to TM-G-1 "General Principles for 
Technology Risk Management" for guidance on 
general principles and section 8.2 below for further 
guidance on ICT risk management. 


(c) E-banking services 

The risk management of e-banking is an integral 
part of the Al's technology risk management and 
should cover controls, among others, related to 
authentication of customers, confidentiality and 
integrity of information, application security, internet 
infrastructure and security monitoring, and 
customer security such as controls relating to 
fraudulent bank websites, phishing e-mails or 
similar scams. Please refer to TM-E-1 "Risk 
Management of E-banking" for general guidance on 
risk management of e-banking. 


(d) Third-party dependencies 

While resorting to entities such as third party service 
providers can help manage costs, provide 
expertise, expand product offerings and improve 
services, it also introduces risks. The Board and 
senior management should understand such risks 
and ensure that proper policies and procedures are 
in place to address the risks associated with third 
party service providers, whether there exists an 
outsourcing arrangement or the Al is otherwise 
relying on the service providers to carry out its 
operations. For outsourced activities, the risk 
management process should cover a 
comprehensive risk assessment of the proposed 
outsourcing arrangement in the light of the 
importance and criticality of the activities to be 
outsourced, concentration of risk, complexity of the 
outsourcing, due diligence on the service provider, 
controls over outsourced activities and contingency 
planning. Please refer to SA-2 "Outsourcing" on the 
major points which the HKMA recommends Als to 
address when considering to outsource their 
activities. Moreover, an Al should take into account 
the access right of the resolution authorities in its 
outsourcing arrangements. The risk management 
policies and activities of the service providers 
concerned in outsourcing should be consistent with 
and conducted alongside the critical operations 
management and dependency management for 
operational resilience. For other types of third party 
dependencies, an Al should consider the need for 
adopting similar risk management processes as 
detailed above having regard to the risks involved. 


(e) Money laundering 

Als should have policies, procedures and controls 
for the fight against money laundering and terrorist 
financing based on the principles of know your 
customer, compliance with laws, co-operation with 
law enforcement agencies, and on-going staff 
training. Please see AML-1 "Supervisory Approach 
on Anti-Money Laundering and Counter-Financing 
of Terrorism" for guidance on managing money 
laundering and terrorist financing risks. 
(f) Suitability of customers 


Als should have policies and procedures for 
identifying customers whom they consider suitable 
for selling certain sophisticated, high risk products. 
The targeted customers should be considered as 
capable of understanding and bearing the potential 
financial risks that may #searise from such 
products. 


(g) Overseas branches/subsidiary offices 


The operating systems and processes of overseas 
branches or subsidiaries may change the 
operational risk profile of Als. Therefore, Als should 
understand the impact of any differences in 
processes and systems at each of their overseas 
branches and subsidiaries, and develop appropriate 
controls over their operations. 


(h) Customer data privacy 

As stated in the Code of Banking Practice, Als 
should comply with the Personal Data (Privacy) 
Ordinance in the collection, use and holding of 
customer information. 





(i) External documentation 


External documentation refers to documents that 
are produced by Als and provided to customers and 
counterparties or third parties, e.g. contracts, 
transaction statements, or advertising brochures. 
The presence of inappropriate or inaccurate 
information in these documents can lead to legal 
risk and operational risk. 


Als should have adequate processes and systems 
to review external documentation prior to issuance. 
This may include the consideration of: 


• compliance with applicable regulatory and 
legal requirements; 

• the extent to which the documentation uses 
standard terms or non-standard terms; 

• the channels or ways in which the 
documentation is issued; and 

• the extent to which confirmation of 
acceptance is required. 


7.4.8 In circumstances where internal controls do not adequately 
address risks and exiting the risk is not a reasonable 
option, senior management can complement controls by 
seeking to transfer the risk to another party through risk 
mitigation products such as insurance. However, Als 
should not view risk mitigation tools as a replacement for 
internal operational risk controls. Careful consideration 
also needs to be given to the extent to which risk 
mitigation tools such as insurance truly reduce risk, or 
transfer the risk to another business sector or area, or even 
create a new risk (e.g. legal or counterparty risk). The 
Board should determine the maximum loss exposure the 
Al is willing and has the financial capacity to assume, and 
should perform an annual review of the Al's risk and 
insurance management programme. While the specific 
insurance or risk transfer needs of an Al should be 
determined on an individual basis, consideration should 
always be given to applicable regulatory requirements. 





8. Specific aspects of operational risk management 


8.1 Change management 


8.1.1 Change management should assess the evolution of the 
risks associated with the change initiatives of the Al (such 
as those referred to in para.7.4.7(a)) across time, from 
inception to termination (e.g. throughout the full life cycle 
of a product). The policies and procedures on change 
management should define the process for identifying, 
managing, challenging, approving and monitoring change 
on the basis of agreed objective criteria. Change 
implementation should be monitored by specific oversight 
controls. Change management policies and procedures 
should be subject to independent and regular review and 
update, and clearly allocate roles and responsibilities in 
accordance with the three lines of defence model, in 


particular: 


(a) the first line of defence should perform operational 
risk and control assessments of new products, 
activities, processes and systems, including the 
identification and evaluation of the required change 
through the decision-making and planning phases 
to the implementation and post-implementation 
review. 


(b) the second line of defence (i.e. CORF) should 
challenge the operational risk and control 
assessments of the first line of defence, as well as 
monitor the implementation of appropriate controls 
or remediation actions. CORF should cover all 
phases of this process. In addition, CORF should 
ensure that all relevant control groups (e.g. finance, 
compliance, legal, business, ICT, risk management) 
are involved as appropriate. 


8.1.2 An Al should have policies and procedures for the review 
and approval of its change initiatives, covering: 


(a) inherent risks including legal, ICT and model risks 
(especially when outsourcing is involved); 


(b) changes to the Al's operational risk profile, appetite 
and tolerance, including changes to the risk of 
existing products or activities; 


(c) necessary controls, risk management processes 
and risk mitigation strategies; 


(d) residual risk; 


(e) changes to relevant risk management thresholds or 
limits; and 


(f) the procedures and metrics to assess, monitor and 
manage risks. 


8.1.3 The review and approval process should include ensuring 
that appropriate investment has been made for human 
resources and technology infrastructure before changes 
are introduced. Changes should be monitored, during and 
after their implementation, to identify any material 
differences to the expected operational risk profile and 
manage any unexpected risks. Controls and procedures 
for identifying and assessing threats/vulnerabilities and 
operational risk should be assessed to ensure that they 
remain effective after a change to any underlying 
components of critical operations. 


8.1.4 To facilitate the monitoring of changes, Als should maintain 
a central record of their products and services (including 
outsourced functions or activities) to the extent possible. 


8.1.5 Als should also see section 4.3 of IC-1 "Risk Management 
Framework" for general guidance on risk management 
relating to new products and services. 
8.2 Information Communication and Technology 


8.2.1 There are inherent risks and benefits in the application of 
ICT in the operations of Als. While automated processes 
are less prone to error than manual processes, they 
introduce risks that_must be addressed through sound 
technology _ governance _and___infrastructure risk 
management programmes. In addition, the use of 
technology related products, activities, processes and 
delivery channels exposes an Al to operational risk and 
possibility of material financial loss. Consequently, Als 
should have an_integrated approach to ICT risk 
management under their ORMF. ICT risk management 
should ensure effective ICT performance and ICT security, 
contributing to an effective operating and control 
environment essential for achieving the Als’ strategic 
objectives. Sound ICT risk management reduces Als’ 
operational risk exposure to direct losses, legal claims, 
reputational damage, ICT disruption and misuse _of 
technology in alignment with its risk appetite and tolerance 


statement. 


8.2.2 To ensure the confidentiality, integrity and availability of 
data_and system, the Board should regularly oversee the 
effectiveness of the Al’s ICT risk management and senior 
management should routinely evaluate the design, 
implementation and effectiveness of the Al’s ICT risk 
management. This requires regular alignment of the 
business, risk management and ICT strategies to ensure 
consistency with the Al’s risk appetite and tolerance 
statement_as well as with privacy and other applicable 


laws. 


8.2.3 Effective ICT risk management should include the 
following processes: 


(a) defining ICT risk; 


(b) identifying the operations which are exposed to ICT 
risk and assessing the magnitude of the risk 
exposure (e.g. high, medium, low); 


(c) implementing ICT risk mitigation measures 
consistent with the assessed risk level. Common 
measures include cybersecurity, response and 
recovery programmes, ICT change management 
processes, ICT incident management processes 
(including relevant information transmission to 
users on a timely basis); 


(d) monitoring the effectiveness of mitigation measures 
(including regular tests); 


(e) regular reporting of ICT risks, controls and events to 
senior management. 


8.2.4 ICT risk management together with complementing 
processes set by Als should: 


(a) be reviewed on a regular basis for completeness 
against relevant industry standards and best 
practices as well as against evolving threats (e.g. 
cyber) and evolving or new technologies; 


(b) be regularly tested to identify gaps against stated 
risk tolerance objectives and facilitate improvement 
of the ICT risk identification, protection, detection 
and event management; and 


(c) make use of actionable intelligence to continuously 
enhance their situational awareness of 
vulnerabilities to ICT systems, networks and 
applications and facilitate effective decision making 
in risk or change management. 


8.2.5 Als should develop approaches to ICT readiness for 
stressed scenarios from disruptive external events, such 
as the need to facilitate the implementation of wide-scale 
remote-access, rapid deployment of physical assets and/or 
significant expansion of bandwidth to support remote user 
connections and customer data protection. In this 
connection, Als should ensure that: 


(a) appropriate risk mitigation strategies are developed 
for potential risks associated with a disruption or 
compromise of ICT systems, networks and 
applications. Als should evaluate whether the risks, 
taken together with these strategies, fall within their 
risk appetite and risk tolerance; 


(b) well defined processes for the management of 
privileged users and application development are in 
place; and 


(c) regular updates are made to ICT including cyber 
security in order to maintain an appropriate security 
posture. 


8.2.6 Please also refer to TM-E-1 "Risk Management of E-
banking" and TM-G-1 "General Principles for Technology 
Risk Management" for relevant guidance. 


8.3 Business continuity management and disaster recovery plan 
8.3.1 All Als should have in place formal contingency and 
business continuity plans (BCP)21 to ensure their ability to 
operate on an ongoing basis and limit losses in the event 
of severe business disruption. The approval and 
subsequent reviews of the BCP by the Board should 
ensure that contingency strategies remain consistent with 
current operations, risks and threats and the Al's ORMF. 
A sound BCP requires the commitment of the first and 
second lines of defence to its design, strong involvement 
of senior management and business unit leaders in its 
implementation and regular review by the third line of 
defence. 


8.3.2 Moreover, the BCP should be forward looking in the 
disruption scenarios, with relevant impact assessments 
and recovery procedures: 


(a) the BCP should be based on scenario analyses of 
potential disruptions to the Al's operations. For the 
purpose of the analyses, all business units as well 
as critical service providers and major third parties 
(e.g. central banks, clearing house) of the Al should 
be covered, and critical business operations and 
key internal and external dependencies be 
identified and categorised; 


(b) each scenario should be subject to a quantitative and qualitative impact assessment or business impact analysis with regard to its financial, operational, legal and reputational consequences; and


(c) disruption scenarios should be subject to thresholds or limits (such as maximum tolerable outage) for the activation of business continuity procedures. These procedures should address resumption aspects, set recovery time objectives and recovery point objectives, and include communication guidelines for informing management, employees, regulatory authorities, customers, suppliers and, where appropriate, civil authorities.

21 Business continuity planning should be consistent with, and conducted alongside, the testing of critical operations as specified in the relevant guidance set out in OR-2.


8.3.3 An AI should provide customised training and awareness programmes to its staff based on their specific roles to ensure that they can effectively execute contingency plans. Business continuity procedures should be tested periodically to ensure that recovery and resumption objectives and timeframes can be met in the unlikely event of a severe business disruption. Where possible, an AI should participate in business continuity testing with key service providers. Results of formal testing and review activities should be reported to senior management and the Board.


8.3.4 Please also refer to TM-G-2 "Business Continuity Planning" for the sound practices which the HKMA expects AIs to adopt in their business continuity planning.





9. Disclosure 


9.1 The regulatory disclosure requirements (including in relation to operational risk exposures and operational risk management) that AIs are required to comply with are specified in the Banking (Disclosure) Rules (Cap. 155M). These Rules are supplemented by interpretative guidance contained in CA-D-1 "Guideline on the Application of the Banking (Disclosure) Rules".


9.2 Outlined below are a few general principles that AIs are expected to follow, in particular to enable their stakeholders to assess their approach to operational risk management and their operational risk exposure:


(a) an AI should publicly disclose information on its operational risk management. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of the AI's operations, and should take into account evolving industry practices;


(b) an AI should also disclose relevant operational risk exposure information to its stakeholders (including significant operational loss events22) while not creating operational risk through this disclosure (e.g. by describing unaddressed control vulnerabilities). An AI should disclose its ORMF in a manner that allows stakeholders to determine whether the AI identifies, assesses, monitors and controls/mitigates operational risk effectively; and

(c) an AI should have a formal disclosure policy that is subject to regular and independent review and approval by senior management and the Board. The policy should set out the AI's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, AIs should implement a process for assessing the appropriateness of their disclosures and disclosure policy.

22 The recommendation to disclose significant operational loss events does not include disclosure of confidential and proprietary information, including information about legal reserves.
Annex: Detailed loss event type classification

Each event-type category (Level 1) is given with its definition, followed by its categories (Level 2) and, under each, the activity examples (Level 3).

Event-type category (Level 1): Internal fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
Categories (Level 2) and activity examples (Level 3):
  Unauthorised activity
    • Transactions not reported (intentional)
    • Transaction type unauthorised (with monetary loss)
    • Mismarking of position (intentional)
  Theft and fraud
    • Fraud / credit fraud / worthless deposits
    • Theft / extortion / embezzlement / robbery
    • Misappropriation of assets
    • Malicious destruction of assets
    • Forgery
    • Check kiting
    • Smuggling
    • Account takeover / impersonation etc
    • Tax non-compliance / evasion (wilful)
    • Bribes / kickbacks
    • Insider trading (not on firm's account)

Event-type category (Level 1): External fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.
Categories (Level 2) and activity examples (Level 3):
  Theft and fraud
    • Theft / robbery
    • Forgery
    • Check kiting
  Systems security
    • Theft of information (with monetary loss)

Event-type category (Level 1): Employment practices and workplace safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.
Categories (Level 2) and activity examples (Level 3):
  Employee relations
    • Compensation, benefit, termination issues
    • Organised labour activity
  Safe environment
    • General liability (slip and fall etc)
    • Employee health and safety rules events
    • Workers compensation
  Diversity and discrimination
    • All discrimination types

Event-type category (Level 1): Clients, products and business practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Categories (Level 2) and activity examples (Level 3):
  Suitability, disclosure and fiduciary
    • Fiduciary breaches / guideline violations
    • Suitability / disclosure issues (know-your-customer etc)
    • Retail customer disclosure violations
    • Breach of privacy
    • Aggressive sales
    • Account churning
    • Misuse of confidential information
    • Lender liability
  Improper business or market practices
    • Antitrust
    • Improper trade / market practices
    • Market manipulation
    • Insider trading (on firm's account)
    • Unlicensed activity
    • Money laundering
  Product flaws
    • Product defects (unauthorised etc)
    • Model errors
  Selection, sponsorship and exposure
    • Failure to investigate client per guidelines
    • Exceeding client exposure limits
  Advisory activities
    • Disputes over performance of advisory activities

Event-type category (Level 1): Damage to physical assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.
Categories (Level 2) and activity examples (Level 3):
  Disasters and other events
    • Natural disaster losses
    • Human losses from external sources (terrorism, vandalism)

Event-type category (Level 1): Business disruption and system failures
Definition: Losses arising from disruption of business or system failures.
Categories (Level 2) and activity examples (Level 3):
  Systems
    • Hardware
    • Software
    • Telecommunications
    • Utility outage / disruptions

Event-type category (Level 1): Execution, delivery and process management
Definition: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
Categories (Level 2) and activity examples (Level 3):
  Transaction capture, execution and maintenance
    • Miscommunication
    • Data entry, maintenance or loading error
    • Missed deadline or responsibility
    • Model / system misoperation
    • Accounting error / entity attribution error
    • Other task misperformance
    • Delivery failure
    • Collateral management failure
    • Reference data maintenance
  Monitoring and reporting
    • Failed mandatory reporting obligation
    • Inaccurate external report (loss incurred)
  Customer intake and documentation
    • Client permissions / disclaimers missing
    • Legal documents missing / incomplete
  Customer / client account management
    • Unapproved access given to accounts
    • Incorrect client records (loss incurred)
    • Negligent loss or damage of client assets
  Trade counterparties
    • Non-client counterparty misperformance
    • Miscellaneous non-client counterparty disputes
  Vendors and suppliers
    • Outsourcing
    • Vendor disputes